I am working to leverage the below query for 'Stale Account Usage' from Splunk Security Essentials Docs, which uses lookup "account_status_tracker".

The  'How to Implement' guidance includes: "The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in Common Information Model format. " 

From the "Add New" lookup webpage, it is not clear how I assign an appropriate "Lookup File" that will the necessary fields in CIM format. I have looked through Splunk docs and other likely resources, with no strong hits. I admit this is an area new to me. 

My question is: what steps do I need to take to define this lookup, including assigning an appropriate "Lookup File"?  When I select existing authentication-related files as the "Lookup File", I receive error messages, for example:  "Cannot find the destination field 'count' in the lookup table...

And leads greatly appreciated. 

index=* source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| multireport
[| stats values(*) as * by user
| lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
| where prior_latest < relative_time(now(), "-90d")
| eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
| convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) ]
[| inputlookup append=t account_status_tracker
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
| outputlookup account_status_tracker
| where this_only_exists_to_update_the_lookup='so we will make sure there are no results']